Create Malware Evasion via AV Process Detection #100

Open
wants to merge 1 commit into base: main

Conversation

malfav

@malfav malfav commented Jan 25, 2025

Technique Name: Malware Evasion via AV Process Detection

Author Information

  • Nickname: Malfav.Win32
  • First Name: Diyar
  • Last Name: Saadi
  • Website: malfav.gitbook.io/home
  • GitHub: github.com/malfav
  • LinkedIn: Diyar Saadi

Technique Information

  • Technique Category: Defense Evasion
  • Technique Tags: Antivirus Exception, Malware Evasion
  • Technique General Detail:
This technique involves searching for active antivirus-related processes or modules and terminating execution if any are found. By detecting loaded antivirus libraries, malware can determine whether it is running in a monitored environment and exit to avoid detection.

Additional Resources:

Code Snippet Information

  • Code Snippet Author: Malfav.Win32
  • Programming Language: Python

Code

import psutil
import sys

def is_av_present():
    # Process and module names associated with AV products, sandboxes and analysis tools.
    # Each entry is compared against running *process names* only (see the loop below),
    # so the .dll entries can never match here: loaded modules are not enumerated.
    av_signatures = [
        "avghookx.dll", "avghooka.dll",  # AVG
        "snxhk.dll", "sf2.dll",  # Avast
        "sbiedll.dll",  # Sandboxie
        "dbghelp.dll",  # WinDbg, WINE
        "api_log.dll", "dir_watch.dll",  # iDefense Lab
        "pstorec.dll",  # SunBelt Sandbox
        "vmcheck.dll",  # Virtual PC
        "wpespy.dll",  # WPE Pro
        "cmdvrt64.dll", "cmdvrt32.dll",  # Comodo Container
        "sxin.dll",  # 360 SOFTWARE
        "printfhelp.dll",  # Unknown Sandbox
        "ekrn.exe",  # ESET
        "avguard.exe", "avscan.exe",  # Avira
        "ccSvcHst.exe", "norton.exe",  # Norton
        "mcshield.exe", "mcupdate.exe",  # McAfee
        "fsav.exe", "fsgk32.exe",  # F-Secure
        "kav.exe", "kavsvc.exe",  # Kaspersky
        "msmpeng.exe", "mpcmdrun.exe"  # Windows Defender
    ]

    for proc in psutil.process_iter(attrs=['pid', 'name']):
        # process_iter() already skips processes that vanish or deny access while
        # it is collecting 'attrs'; the try/except only guards the checks below.
        name = proc.info.get('name') or ''  # 'name' can be None for some processes
        try:
            if any(av.lower() in name.lower() for av in av_signatures):
                print(f"Detected AV process: {name} (PID: {proc.info['pid']})")
                return True
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            pass
    return False

if is_av_present():
    print("Antivirus detected! Exiting process to avoid detection.")
    sys.exit(0)

print("No antivirus detected. Proceeding with execution.")
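Defender-side worked example, added here and not part of the PR: a static triage heuristic that flags a sample (script or binary) when it embeds several of the AV/sandbox process names from the list above, the way a string-based YARA rule would. The name list is reused from the PR; the regexes, the threshold and the two sample blobs are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Subset of the PR's signature list, reused as static triage indicators.
# dbghelp.dll is deliberately left out: it ships with plenty of benign software.
AV_SANDBOX_NAMES = [
    "avghookx.dll", "avghooka.dll", "snxhk.dll", "sf2.dll", "sbiedll.dll",
    "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll", "wpespy.dll",
    "cmdvrt64.dll", "cmdvrt32.dll", "ekrn.exe", "avguard.exe", "avscan.exe",
    "ccsvchst.exe", "mcshield.exe", "fsav.exe", "kavsvc.exe", "msmpeng.exe", "mpcmdrun.exe",
]

_ASCII = re.compile(rb"[\x20-\x7e]{5,}")            # printable ASCII runs, 5+ chars
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")    # printable UTF-16LE runs, 5+ chars

def extract_strings(data: bytes) -> List[str]:
    """Pull printable ASCII and UTF-16LE strings out of a file or memory blob."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(data)]
    return found

def av_name_hits(data: bytes) -> Dict[str, int]:
    """Count, per indicator, how many extracted strings contain that AV/sandbox name."""
    hits: Dict[str, int] = {}
    for s in extract_strings(data):
        low = s.lower()
        for name in AV_SANDBOX_NAMES:
            if name in low:
                hits[name] = hits.get(name, 0) + 1
    return hits

def triage(data: bytes, threshold: int = 3) -> Tuple[bool, Dict[str, int]]:
    """Flag the sample when it references at least `threshold` distinct indicator names.
    A single hit is weak evidence (AV names appear in legitimate tooling); a cluster is not."""
    hits = av_name_hits(data)
    return len(hits) >= threshold, hits

# Constructed samples: a script body embedding the same kind of list the PR checks,
# and an innocuous PE-header fragment that mentions none of the names.
SAMPLE_SCRIPT = b"import psutil\nav = ['ekrn.exe', 'msmpeng.exe', 'sbiedll.dll', 'mcshield.exe']\n"
SAMPLE_BENIGN = b"MZ\x90\x00...this program cannot be run in DOS mode.\n"

if __name__ == "__main__":
    for label, blob in (("script", SAMPLE_SCRIPT), ("benign", SAMPLE_BENIGN)):
        flagged, hits = triage(blob)
        print(label, "flagged" if flagged else "clean", hits)
```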
